(54) Access control in a data processing system

(57) In a method of controlling access in a data processing system, firstly a set of attributes is defined for targets that may
be accessed and for accessors that may access the targets. A set of access security classes is then defined in terms of
these attributes or other classes. Each class has a set of allowable operations associated with it. Each target is assigned a
classification comprising one of the classes and a set of allowed operations. Each accessor is assigned an authority
consisting of one of the classes and a set of allowed operations. An accessor is allowed to access a target only if there is a
common sub-class contained in both the accessor's authority and in the target's classification, and if the
operation is defined for that subclass and appears in both the accessor's authority and in the target's classification.
ACCESS CONTROL MECHANISM

This invention relates to an access control
mechanism for a data processing system.

According to the invention there is provided 
a method of controlling access in a data processing 
system, comprising 

(a) defining a set of attributes for targets that 
may be accessed and for accessors that may 
access the targets, 

(b) defining a set of security classes, each 
security class comprising a combination of 
said attributes and/or other classes, 

(c) associating with each security class a set of
operations applicable to that class,

(d) assigning a classification to each target,
comprising one of said classes and a set of
allowed operations,

(e) assigning an authority to each accessor,
comprising one of said classes and a set of
allowed operations,

(f) in response to a request by an accessor to
perform an operation on one of the targets,
permitting the operation only if there is a
common subclass contained both in the
accessor's authority and in the target's
classification, and if the operation is
defined for that subclass and appears both in
the accessor's authority and in the target's
classification.

One embodiment of the invention will now be 
described by way of example, with reference to the 
accompanying drawings, of which: 

Figure 1 is a block diagram of a distributed 
data processing system embodying the invention; 

Figure 2 is a flow chart showing the way in 
which access is controlled; and 

Figure 3 is a schematic diagram showing an 
example of a set of security classes. 

Referring to Figure 1, the distributed data 
processing system comprises a plurality of data 
processing installations 10 , which communicate with each 
other by way of an interconnection network 12. The data 
processing installations may be individual workstations, 
or may be computers with attached workstations. The 
network may be a local area network, or 
telecommunications lines, or a combination of both. 

The system includes a number of objects to
which it is required to control access, these objects
being referred to herein as targets. For example, the
targets may include data items such as documents or
files, stored in the individual data processing
installations.

These targets may be accessed by various
entities, referred to herein as accessors. For example,
an accessor may be a human end user, an individual
workstation or a software entity within a computer.


The access control mechanism for the system 
is implemented as follows. 

First, a set of attributes is declared for 
the system. Each attribute is a unique identifier 
within the set for the system. The attributes are 
chosen as names for individual characteristics of the 
system components which are known to be significant to 
access control. Thus, for example, data items may have 
the attributes "confidential", "project N", "staff pay" 
etc., and end users may have the attributes "employee", 
"manager" etc. 

A set of security classes is then defined, 
each class consisting of a logical combination of one or 
more of the attributes and/or of other defined classes. 
Each of these classes may consist of one or more 
subclasses, where a subclass is defined as the result of 
deleting zero or more logical OR alternatives from a 
class, or replacing one or more of its qualifiers by a 
subclass of the qualifier. (See the definition of a
class below.)

A set of allowable operations is then 
assigned to each class and attribute. Typical 
operations might be, for example "interrogate", "modify" 
or "summarise".

Each of the targets is assigned a
classification consisting of one of the security 
classes, along with a set of allowable operations, 
chosen from those of its class. 

Similarly, each of the accessors is assigned 
an authority consisting of one of the security classes, 
along with a set of allowable operations, chosen from 
those of the class. An accessor which may itself be
accessed has both a classification and an authority. 

The definitions of the classes, the 
authorities, and the classifications are all stored in a
database in the system, so that they can be accessed by 
the access control mechanism. 

Referring now to Figure 2, when a particular 
accessor requires to access a particular target to 
perform a specified operation, the operation of the 
access control mechanism is as follows: 

First, the access control mechanism checks 
(21) whether there is a common subclass contained both 
in the accessor's authority and in the target's
classification. If not, then no access is permitted. 

If, however, there is a common subclass, the 
access control mechanism now checks (22) whether there 
are any operations defined for this common subclass 
which appear both in the accessor's authority and in the
target's classification. If not, then again no access 
is permitted. 

If there are such operations, then the 
accessor is allowed to perform those, but no others, on 
the target. The operation required is, therefore, 
allowed if it is one of these. 

The form of a security class may be expressed
as follows, using an extended Backus-Naur notation:

class-definition = class-name, ':', definition-list, ';' ;
definition-list  = and-list | or-list ;
and-list         = qualifier, [ and qualifier ] ;
or-list          = qualifier, [ or qualifier ] ;
qualifier        = attribute | class-name ;

An and-list allows the expression of a list of
qualifiers which must always be present in an instance of
the class defined. An or-list allows the expression of a
list of qualifiers one or more of which must be present in 
an instance of the class defined. Other forms of expression 
could be provided such as, for example, to specify the 
combination "any N of", or "exclusive OR". They could then 
be used to allow more concise class definitions and be 
represented in the access control mechanism for greater 
efficiency. A qualifier is defined as an attribute or a 
class-name so that a class may be expressed in terms of 
other classes. 

As an example, consider a system in which 
documents are stored electronically and in which access to
the documents is to be controlled according to the 
trustworthiness and position of the accessors. The 
documents are classified using the attributes 
"confidential", "pay" and "plans". Some documents about pay 
are confidential, some are not. Some documents about plans 
are confidential, some are not. Some documents are 
confidential but are not concerned with either pay or plans. 

In this example, the following security classes 
may be defined: 

(i) all: all-conf or topic;

(ii) all-conf: other-conf or conf-topic;

(iii) other-conf: conf;

(iv) conf-topic: conf and topic;

(v) topic: pay or plans;


Figure 3 shows these classes schematically. 

A set of operations is defined for each of these
classes. For example, the class "all" may have the
operations "interrogate" and "modify" associated with it,
while the class "topic" may have the operation "summarise"
associated with it.

Each document held in the system has one of these
classes assigned to it as its security classification, along
with a set of allowed operations. For example, one
particular document may be assigned the classification
"conf-topic".

Similarly, each accessor of the system is
assigned one of the classes as an authority along with a set
of allowed operations. For example, a particular grade of
employee may have the authority "topic".

It will be seen that this employee would not be
allowed to access documents with the classification
"conf-topic", since conf-topic and topic do not have any
common sub-class. (Topic is not a subclass of conf-topic,
since conf-topic consists of an AND combination rather than
an OR.) However, this employee would be allowed to access
documents with the classification "topic", to perform operations
which appear both in the employee's authority and in the
document's classification.
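The access check of Figure 2, run over the five example classes, as an added example that is not part of the patent. It parses the class definitions from the extended BNF form given earlier, enumerates the subclasses of each class as sets of attributes, and applies steps 21 and 22 to an accessor's authority and a target's classification. Three modeling choices are assumptions not stated on the page: a subclass is represented by the attribute set left after choosing one alternative from each OR list (so two classes share a subclass exactly when these sets intersect); the operations "defined for" a common subclass are those associated with every named class or attribute of which it is a subclass; and the `OPERATIONS` table is treated as complete even though the text names operations only for "all" and "topic".

```python
"""Added example (not from the patent): the security-class access check."""
from itertools import product

# Constructed input: the five classes and three attributes of the document example.
CLASS_TEXT = """
all: all-conf or topic;
all-conf: other-conf or conf-topic;
other-conf: conf;
conf-topic: conf and topic;
topic: pay or plans;
"""
ATTRIBUTES = {"conf", "pay", "plans"}
# Operations associated with classes; the text names only these two (assumed complete).
OPERATIONS = {"all": {"interrogate", "modify"}, "topic": {"summarise"}}


def parse_class_definitions(text):
    """Parse 'class-name: definition-list;' statements into {name: (kind, [qualifiers])}."""
    classes = {}
    for stmt in text.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        name, _, body = stmt.partition(":")
        name, body = name.strip(), body.strip()
        if not name or not body:
            raise ValueError(f"malformed class definition: {stmt!r}")
        has_and, has_or = " and " in body, " or " in body
        if has_and and has_or:
            # The grammar allows an and-list or an or-list, never a mixture.
            raise ValueError(f"definition-list must be an and-list or an or-list: {stmt!r}")
        sep, kind = (" and ", "and") if has_and else (" or ", "or")
        classes[name] = (kind, [q.strip() for q in body.split(sep)])
    return classes


def minimal_subclasses(qualifier, classes, attributes, _stack=()):
    """Return the attribute sets (frozensets) that are subclasses of `qualifier`."""
    if qualifier in attributes:
        return {frozenset([qualifier])}
    if qualifier not in classes:
        raise KeyError(f"undeclared qualifier: {qualifier}")
    if qualifier in _stack:
        raise ValueError(f"cyclic class definition through {qualifier}")
    kind, quals = classes[qualifier]
    parts = [minimal_subclasses(q, classes, attributes, _stack + (qualifier,)) for q in quals]
    if kind == "or":
        # Deleting OR alternatives: any single alternative's subclasses survive.
        return set().union(*parts)
    # AND list: every qualifier must be present, so combine one subclass of each.
    return {frozenset().union(*combo) for combo in product(*parts)}


def common_subclasses(class_a, class_b, classes, attributes):
    """Step 21: the subclasses contained in both classes (empty set means no access)."""
    return (minimal_subclasses(class_a, classes, attributes)
            & minimal_subclasses(class_b, classes, attributes))


def operations_defined_for(subclass, classes, attributes, operations):
    """Operations of every named class or attribute that `subclass` is a subclass of."""
    defined = set()
    for name, ops in operations.items():
        if subclass in minimal_subclasses(name, classes, attributes):
            defined |= ops
    return defined


def permitted_operations(authority, classification, classes, attributes, operations):
    """Step 22: authority and classification are (class-name, allowed-operations) pairs."""
    auth_class, auth_ops = authority
    target_class, target_ops = classification
    permitted = set()
    for sub in common_subclasses(auth_class, target_class, classes, attributes):
        permitted |= operations_defined_for(sub, classes, attributes, operations) & auth_ops & target_ops
    return permitted


def access_permitted(authority, classification, operation, classes, attributes, operations):
    """The requested operation is allowed only if it is one of the permitted ones."""
    return operation in permitted_operations(authority, classification, classes, attributes, operations)


if __name__ == "__main__":
    classes = parse_class_definitions(CLASS_TEXT)
    accessors = {"employee": ("topic", {"summarise"}), "manager": ("all", {"interrogate", "modify"})}
    targets = {"conf-topic document": ("conf-topic", {"interrogate"}), "topic document": ("topic", {"summarise"})}
    for who, authority in accessors.items():
        for what, classification in targets.items():
            ops = permitted_operations(authority, classification, classes, ATTRIBUTES, OPERATIONS)
            print(f"{who} on {what}: {sorted(ops) or 'no access'}")
```

Running the block reproduces the text's conclusion: the "topic" employee gets no access to the "conf-topic" document but may "summarise" the "topic" document, and an "all" authority reaches the "conf-topic" document only for the single operation, "interrogate", that both sides allow.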

By way of example, the following format may be 
used for representing the security classes, and storing them 
in the system. These format definitions refer to "rights"
rather than operations. A right is a collection of 
operations to all of which the same access control rules 
apply. Thus "right" may be substituted for "operation" in 
the previous description. 

class name (12 bits): an identifier chosen to be unique for the system within
    which access is controlled.

class designator (4 bits): value 0000 signifies an OR list, i.e. any
    combination of qualifiers may appear in an instance of this class; value
    0001 signifies an AND list, i.e. all qualifiers must appear in an instance
    of this class; other values reserved for possible use.

authority (16 bits): this is a pointer to the definition of an authority (which
    is a security class with rights and therefore has this same format); a
    value of sixteen zeros indicates that no authority is associated with the
    class.

number of qualifiers (8 bits): an unsigned binary number indicating the number
    of qualifiers which follow.

qualifier: this may occur one or more times as indicated by "number of
    qualifiers". Each occurrence has the following format:

    kind of qualifier (1 bit): value 0 means class, value 1 means attribute.

    qualifier value (15 bits): if "kind of qualifier" has the value 0 this is a
        pointer to another class; if "kind of qualifier" has the value 1 this
        is a binary string representing an attribute.

rights pointer (15 bits): a pointer to the list of rights which apply to the
    class.

A list of rights has the following format:

number of rights (8 bits): an unsigned binary number indicating the number of
    rights which follow.

right: this may occur one or more times as indicated by "number of rights".
    Each occurrence has the following format:

    right name (16 bits): a binary string representing a right of the class,

    list of operations (16 bits): a pointer to a list of operations made
        available to the possessor of the right.

For example, the above-mentioned "all: all-conf or topic;"
would be represented as follows:
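The page's own encoded representation of this class is not reproduced here. As an added example that is not from the patent, the following code packs and unpacks a class record in the bit layout listed above (12-bit class name, 4-bit designator, 16-bit authority pointer, 8-bit qualifier count, 16-bit qualifiers made of a 1-bit kind and a 15-bit value, then a 15-bit rights pointer). The field widths are the page's; the numeric class identifiers and pointer values (`ALL`, `ALL_CONF`, `TOPIC`, `RIGHTS_OF_ALL`) are constructed for the example. Because a record is not a whole number of bytes, the encoder pads the last byte with zero bits and the decoder stops after the rights pointer; the decoder also rejects reserved designator values, an empty qualifier list and truncated input.

```python
"""Added example (not from the patent): packing a security-class record."""

DESIGNATOR_OR, DESIGNATOR_AND = 0b0000, 0b0001   # other 4-bit values are reserved
KIND_CLASS, KIND_ATTRIBUTE = 0, 1                # the 1-bit "kind of qualifier"
NO_AUTHORITY = 0                                 # sixteen zero bits


class BitWriter:
    """Accumulates big-endian bit fields of arbitrary width into one integer."""
    def __init__(self):
        self.value, self.nbits = 0, 0

    def write(self, value, width):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit in {width} bits")
        self.value = (self.value << width) | value
        self.nbits += width

    def to_bytes(self):
        pad = (-self.nbits) % 8                  # zero padding after the last field
        return (self.value << pad).to_bytes((self.nbits + pad) // 8, "big")


class BitReader:
    """Reads big-endian bit fields back out of a byte string."""
    def __init__(self, data):
        self.value, self.total, self.pos = int.from_bytes(data, "big"), 8 * len(data), 0

    def read(self, width):
        if self.pos + width > self.total:
            raise ValueError("truncated record")
        self.pos += width
        return (self.value >> (self.total - self.pos)) & ((1 << width) - 1)


def encode_class(name, designator, authority, qualifiers, rights_pointer):
    """qualifiers: list of (kind, value) pairs, kind being KIND_CLASS or KIND_ATTRIBUTE."""
    if designator not in (DESIGNATOR_OR, DESIGNATOR_AND):
        raise ValueError("reserved class designator")
    if not qualifiers:
        raise ValueError("a class must have at least one qualifier")
    w = BitWriter()
    w.write(name, 12)
    w.write(designator, 4)
    w.write(authority, 16)
    w.write(len(qualifiers), 8)                  # raises if more than 255 qualifiers
    for kind, value in qualifiers:
        w.write(kind, 1)
        w.write(value, 15)
    w.write(rights_pointer, 15)
    return w.to_bytes()


def decode_class(data):
    """Inverse of encode_class; validates the designator and the qualifier count."""
    r = BitReader(data)
    name = r.read(12)
    designator = r.read(4)
    if designator not in (DESIGNATOR_OR, DESIGNATOR_AND):
        raise ValueError(f"reserved class designator {designator:04b}")
    authority = r.read(16)
    count = r.read(8)
    if count == 0:
        raise ValueError("a class must have at least one qualifier")
    qualifiers = [(r.read(1), r.read(15)) for _ in range(count)]
    rights_pointer = r.read(15)
    return {"name": name, "designator": designator, "authority": authority,
            "qualifiers": qualifiers, "rights_pointer": rights_pointer}


def is_rejected(data):
    """True when `data` is not accepted as a well-formed record."""
    try:
        decode_class(data)
    except ValueError:
        return True
    return False


# Constructed identifiers: class-name codes for "all", "all-conf" and "topic",
# and the pointer to the rights list of "all". None of these values is from the page.
ALL, ALL_CONF, TOPIC, RIGHTS_OF_ALL = 1, 2, 5, 7


def example_record():
    """'all: all-conf or topic;' is an OR list of two class qualifiers with no authority."""
    return encode_class(ALL, DESIGNATOR_OR, NO_AUTHORITY,
                        [(KIND_CLASS, ALL_CONF), (KIND_CLASS, TOPIC)], RIGHTS_OF_ALL)


if __name__ == "__main__":
    record = example_record()
    print(record.hex(), decode_class(record))
```

The record for the example class is 87 bits (40 bits of header, two 16-bit qualifiers, a 15-bit rights pointer), so it occupies 11 bytes with one padding bit at the end; the rights pointer therefore appears in the last two bytes shifted left by one.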
5. A data processing system, comprising

(a) means for storing a set of access classes, each 
access class comprising a combination of 
attributes for targets that may be accessed and 
for accessors that may access the targets, each 
access class having associated with it a set of 
operations applicable to that class, 

(b) means for storing a classification for each 
target, the classification comprising one of said 
classes and a set of allowed operations, 

(c) means for storing a clearance for each accessor, 
the clearance comprising one of said classes and 
a set of allowed operations, and 

(d) means operable in response to a request by an 
accessor to perform an operation on one of the 
targets for permitting the operation only if 
there is a common subclass contained both in the 
accessor's clearance and in the target's
classification, and if the operation is defined
for that subclass and appears both in the
accessor's clearance and in the target's
classification.

6. A data processing system having an access control
mechanism substantially as hereinbefore described with
reference to the accompanying drawings.